Part 2, Chapter 7: Manual Exhibit 2-7-I
Policy and Procedure for Sending and
Receiving Protected Information by Facsimile
- PURPOSE. To publish Indian Health Service (IHS) policy and procedures for transmitting patient medical and/or protected health information (PHI) by facsimile (FAX) which will best safeguard the confidentiality of such records. Due to the complex and distinct issues related to computer-based electronic transmission of PHI and/or patient medical information this manual exhibit is not intended to address the safeguards necessary to ensure the confidentiality of that particular form of patient health information or patient medical information transmission.
- Privacy Act of 1974 as amended, 5 United States Code (U.S.C.) § 552a,
- Health Insurance Portability and Accountability Act Privacy Rule, 45 Code of Federal Regulations (CFR) Parts 160 and 164
- POLICY. It is policy of the IHS to ensure that patient PHI sent or received by IHS facilities are handled in a manner that protects against unauthorized disclosure of such PHI to third parties.
- RESPONSIBILITIES. It shall be the responsibility of all IHS staff to ensure compliance with the policy and procedures published in this manual exhibit.
- BACKGROUND. The fax machine is a widely used means to instantly send and receive written documentation. Understandably, fax machines are now used regularly to transmit PHI, as they are important tools used both to assist in the provision of patient care and to facilitate the medical billing process. While no common methods of transmission of patient PHI are infallible with respect to security, the transmission of patient PHI via fax machines raises legitimate concerns regarding the confidentiality of PHI. Without proper safeguards to ensure that PHI is faxed in accordance with strict protocols, there is significant risk that the confidentiality of those records will be compromised. In accordance with the express requirements set forth in the Privacy Act, it is incumbent upon the IHS to “establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated embarrassment, inconvenience, or unfairness to any individual on whom information is obtained.” (5 U.S.C. § 552a(e)(10)). This policy is intended to establish such appropriate administrative, technical, and physical safeguards for the faxing of patient PHI.
- Medical Records. Covers the same categories of records as those identified as being part of the IHS Privacy Act System of Records, Medical, Health, and Billing Records, 09-17-0001, 70 Fed. Reg. 77405 (December 30,2005) and a corrected notice of February 9, 2006 (71 Fed. Reg. 6781).
- Emergency Medical Condition. A medical condition manifesting itself by acute symptoms of sufficient severity (including severe pain) such that the absence of immediate medical attention could reasonably be expected to result in:
- placing the health of the individual (or, with respect to a pregnant woman, the health of the woman or her unborn child) in serious jeopardy;
- serious impairment to bodily functions; or
- serious dysfunction of any bodily organ or part.
- FAX Activity Confirmation Report. A Fax Activity Confirmation (FAC) Report is a document automatically generated by the fax machine that confirms whether the fax transmission has been successful and which prints the destination fax number.
- FAX Activity Report Journal. The fax Activity Report Journal (ARJ) is a manually generated log that may be used to identify how each incoming fax was handled, confirm the successful transmission of each outgoing fax, and/or identify any errors that have occurred in the sending or receiving of faxes.
- Highly Sensitive Patient Health and/or Medical Information. Any patient PHI relating to:
- testing for Human Immunodeficiency Virus (HIV) or other sexually transmitted diseases, or treatment related to HIV or other sexually transmitted diseases;
- testing for cancer or other life-threatening illnesses; or
- the diagnosis, treatment, or referral for treatment of sexual abuse/assault, mental illness and/or alcohol or substance abuse.
- Mail. All IHS facilities are encouraged to send and receive patient PHI by mail whenever practical.
- Fax Machines. The use of fax machines to send and receive patient PHI pose certain risks of improper disclosure of confidential patient information. Whenever it is necessary to fax patient PHI, the transmission of patient PHI by fax should be limited to the minimum amount necessary to accomplish the intended purpose. Furthermore, the means by which patient information is to be transmitted depends on the clinical circumstances. In any case involving a question as to the appropriateness of using the fax machine to transmit patient PHI, the appropriate clinician shall make the final determination. Strict adherence to the following fax procedures is required:
- Prohibition Against FAXing Certain Highly Sensitive PHI. Except in cases where an IHS provider has determined that the transmission of PHI by fax is necessary to assist in the treatment of the emergency medical condition, “highly sensitive patient health information or patient medical information” (as defined in section 4E above) shall not be faxed by the facility, but instead must be sent by inter-office mail, regular or express mail in an envelope marked [“CONFIDENTIAL: TO BE OPENED BY ADDRESSEE ONLY.”] If a request to fax highly sensitive PHI is made in connection with any legal proceeding, the appropriate service unit employee should immediately contact the applicable Office of General Counsel for advice and assistance.
- Authorized Personnel. Only individuals authorized pursuant to the policies and procedures of the particular IHS facility or Area Office shall fax, or accept by fax, patient PHI.
- Location of FAX Machine. The fax machine shall be physically located so that:
- It is not in a public area.
- Its use can be monitored by the person(s) designated by the facility to conduct such monitoring.
- Only authorized staff can have direct access to the fax machine.
- FAX Cover Page. Before transmitting any patient PHI, the sender must fill out a fax cover page containing, at a minimum, the following information:
- Facility's identification
- Date of transmission
- Number of pages being transmitted (including cover page)
- Authorized receiver's name
- Authorized receiver's telephone number
- Authorized receiver's fax number
- Sender's name
- Provider's name (if applicable)
- Sender's telephone number
- Sender's fax number
- Remarks on Special Instructions (if appropriate)
- Confidentiality Statement. The following is an example of an acceptable statement. ["This fax is intended only for the use of the person or office to which it is addressed and contains privileged or confidential information protected by law. All recipients are hereby notified that inadvertent or unauthorized receipt does not waive such privilege and that unauthorized dissemination, distribution, or copying of this communication is prohibited. If you have received this fax in error, please destroy the attached document(s) and notify the sender of the error by calling (enter applicable phone number and extension)."]
- Sending Information. Whenever the facility's authorized fax user(s) intends to send a fax, he or she shall comply with the following:
- Telephone the receiving facility to inform them that patient PHI are being faxed, confirm the fax number, and determine whether the fax machine is located in a secured area. If the fax machine is not in a secured area, request the authorized individual at the receiving facility to stand by the receiving facility's fax machine.
- Reconfirm the destination fax number prior to transmission by checking the telephone number displayed on the fax machine screen before transmitting the fax.
- Confirm the success of the transmission by calling the intended recipient or by checking the FAC Report.
- In the event that the fax is erroneously transmitted to the wrong fax number and the sender is aware that this error has occurred, he or she should immediately contact the erroneous recipient and request that the fax be destroyed by shredding.
- A copy of the fax cover page, or equivalent documentation, shall be placed in the patient's medical record. The fax cover page, or equivalent documentation, shall include confirmation of receipt of fax.
- Receiving Information. Whenever the facility's authorized fax user(s) receives an incoming patient PHI fax, he or she shall comply with the following:
- Remove the faxed PHI from the fax machine as soon as possible, once he or she is aware that the fax has been received.
- Count the number of pages received to verify the number of pages against the fax cover page. If page(s) are missing, the sender must be contacted and requested to retransmit the document.
- Read the fax cover page and follow any instructions.
- If the facility maintains an ARJ, document receipt of the faxed document on the ARJ.
- Notify the intended recipient that a fax was received.
- Unless the faxed PHI will at all times remain in a secured area, the faxed PHI must be hand delivered or placed in a sealed envelope and delivered to the intended recipient as soon as possible.
- If a fax has been erroneously transmitted to an IHS facility, the recipient of the fax shall inform the sender of the error. The fax must then be destroyed by shredding and these actions should be noted in the ARJ, if applicable.
Back To Top